Configuring and applying connection-rate ACLs

​

ip access-list connection-rate-filter < crf-list-name >

Creates a connection-rate-filter ACL and puts the CLI into the ACE context:

switch(config-crf-nacl)#

If the ACL already exists, this command simply puts the CLI into the ACE context.

​

< filter | ignore > ip < any | host ip-addr | ip-addr mask-length >

Used in the ACE context to specify the action of the connection-rate ACE and the source IP address of the traffic that the ACE affects.

​

< filter | ignore >

​

​​The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE. The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE.

​

ip < any | host ip-addr | ip-addr mask-length >

Specifies the SA criteria for traffic addressed by the ACE.

any

Applies the ACEs action (filter or ignore) to traffic having any SA.

​

host ip-addr

Applies the ACEs action (filter or ignore) to traffic having the specified host SA.

​

ip-addr mask-length

Applies the ACEs action (filter or ignore) to traffic having an SA within the range defined by either:

​<src-ip-addr/cidr-mask-bits>

or

​<src-ip-addr <mask>>

Use this criterion for traffic received from either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits. See Using an ACL in a connection-rate configuration example.

​

ip access-list connection-rate-filter crf-list-name

Creates a connection-rate-filter ACL and puts the CLI into the ACE context:

​

switch(config-crf-nacl)#

If the ACL already exists, this command simply puts the CLI into the ACE context.

​

< filter | ignore | < udp | tcp > < any >

​

< filter | ignore | < udp | tcp > < host ip-addr > [ udp/tcp-options ]

​

< filter | ignore | < udp | tcp > ip-addr mask-length [ udp/tcp-options ]

Used in the ACE context (above) to specify the action of the connection-rate ACE (filter or ignore), and the UDP/TCP criteria and SA of the IP traffic that the ACE affects.

​

< filter | ignore >

filter

​This option assigns a policy of filtering (dropping) IP traffic having an SA that matches the source address criteria in the ACE.

ignore

​This option specifies a policy of allowing IP traffic having an SA that matches the source address criteria in the ACE.

​

< udp | tcp > < any | host > ip-addr | ip-addr mask-length

Applies the filter or ignore action to either TCP packets or UDP packets having the specified SA.

any

Applies the ACEs action (filter or ignore) to IP traffic having any SA.

host <ip-addr>

Applies the ACEs action (filter or ignore) to IP traffic having the specified host SA.

ip-addr <mask-length>

Applies the ACEs action (filter or ignore) to IP traffic having an SA within the range defined by either:

<src-ip-addr/cidr-mask-bits>

or

<src-ip-addr <mask>>

Use this criterion for traffic received from either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits. See Using an ACL in a connection-rate configuration example.

​[udp/tcp-options]

​

destination-port <tcp-data> [ source-port <tcp-data> ]

​

source-port <tcp-data> [ destination-port <tcp-data> ]

​

destination-port <udp-data> [ source-port <udp-data> ]

​

source-port <udp-data> [ destination-port <udp-data> ]

tcp-data: operator tcp-port-#

udp-data: operator udp-port-#

​

operator < eq | gt | lt | neq | range >

​

​

eq <port-nbr-or-name>

"Equal To": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be equal to the specified port number.

​

gt <port-nbr-or-name>

"Greater Than": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be greater than the specified port number.

​

lt <port-nbr-or-name>

"Less Than": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be less than the specified port number.

​

neq <port-nbr-or-name>

"Not Equal": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must not be equal to the specified port number.

​

range <start-port-nbr/name> <end-port-nbr/name>

To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr/name> <end-port-nbr/name>.

tcp-data or udp-data

TCP or UDP​ Port Number or (Well-Known) Port Name:

Use the TCP or UDP port number required for the desired match. The switch also accepts certain well-known TCP or UDP port names as alternates to their corresponding port numbers:

TCP/UDP-PORT:

Specify port by number.

​

bootpc

Bootstrap Protocol, client (68)

bootps

Bootstrap Protocol, server (67)

dns

Domain Name Service (53)

ntp

Network Time Protocol (123)

radius

Remote Authentication Dial-In User Service (1812)

radius-old

Remote Authentication Dial-In User Service (1645)

rip

Routing Information Protocol (520)

snmp

Simple Network Management Protocol (161)

snmp-trap

Simple Network Management Protocol (162)

tftp

Trivial File Transfer Protocol (69)

​

[no] vlan <vid> ip access-group <crf-list-name> connection-rate-filter

This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering. A connection-rate ACL does not apply to ports in the VLAN that are not configured for connection-rate filtering.

The [no] form of the command removes the connection-rate ACL assignment from the VLAN.

	NOTE: The switch allows only one connection-rate ACL assignment per VLAN. If a connection-rate ACL is already assigned to a VLAN, assigning another to the same VLAN overwrites the first ACL with the second. A connection-rate ACL can be in addition to any standard or extended ACLs already assigned to the VLAN.